
Terms of Service

Last updated: May 5, 2026

Operated by: Raz Azulay, Israeli sole proprietor (osek patur)

Contact: [email protected]

Location: Israel

ACCEPTANCE OF TERMS. By accessing, registering for, or using any part of the unpwned platform (including browsing the site, creating an account, initiating a scan, or consuming any report) you agree to be legally bound by these Terms of Service in their entirety. No separate signature or affirmative click is required to form this agreement; use of the service constitutes acceptance. If you do not agree to these Terms, you must immediately cease all use of the platform and, if applicable, cancel your account. If we update these Terms, your continued use of the service after the effective date of any update constitutes acceptance of the revised Terms in full.

LEGAL OPERATOR. UNPWNED is operated by Raz Azulay as an Israeli sole proprietor, not by a limited-liability company. Any reference to “unpwned”, “UNPWNED”, “we”, “us”, or “our” means the UNPWNED service and its sole proprietor operator. All limitations of liability, disclaimers, indemnities, and protections in these Terms apply to the operator personally to the maximum extent permitted by law.

1. Service Description

unpwned (“we”, “us”, “our”) is an AI-powered security scanning platform accessible at unpwned.io. The service scans domains and infrastructure against multiple security APIs, analyzes the results with AI, and delivers plain-English vulnerability reports and recommended fixes to subscribers (“you”, “user”). unpwned also offers Advanced Security Assessment services that provide extended vulnerability scanning beyond standard scans. Advanced Assessments require separate written authorization as described in Section 3b of these Terms.

unpwned is a software-as-a-service tool. It is not a law firm, insurance product, managed security provider, incident response retainer, compliance auditor, or professional certification body. No report, score, badge, recommendation, email, or support response creates a professional advisory relationship, fiduciary duty, insurer relationship, or duty to protect your systems.

By creating an account or using any part of the platform, you agree to these Terms of Service in full. If you do not agree, you must not use the service.

1a. Public Lookup Service

unpwned provides a public domain security lookup feature accessible without account registration. This feature displays limited security information including a security score, letter grade, and finding category titles derived from previously conducted scans. If no recent scan exists, the feature may allow a visitor to start a fresh public scan without creating an account.

Public lookup results are provided for general informational purposes only and are subject to all disclaimers and limitations of liability described in these Terms. Public results do not include detailed vulnerability descriptions, remediation guidance, AI-generated fix suggestions, or any information identifying the account that initiated the original scan.

Before starting a fresh public scan, you must confirm that you own the domain or have explicit written authorization from the domain owner. This confirmation is a legally binding representation and is logged as described in Section 3a. Anonymous or no-account use does not reduce your responsibility for unauthorized scanning.

By using the public lookup feature or starting a public scan, you agree to these Terms of Service, including Sections 3 (Authorized Scanning), 9 (Limitation of Liability), and 10 (Disclaimer of Warranties).

unpwned reserves the right to modify, limit, or discontinue the public lookup feature at any time without notice.

1b. Public Reports, Badges, and Third-Party Reliance

If you start a no-account public scan, choose to make a report public, share a report link, display an UNPWNED badge, or otherwise publish scan output, you are solely responsible for that publication and for confirming that you have the right to disclose the related security information. Public reports and badges are convenience features only.

A badge, grade, score, public report, or “verified” label is not a certification, warranty, audit opinion, attestation, seal of approval, or guarantee that a website is secure or compliant. Third parties must not rely on UNPWNED output as proof of security, compliance, insurance eligibility, procurement readiness, or legal due diligence.

unpwned may revoke, hide, expire, or recalculate public reports and badges at any time, including after methodology changes, newly discovered vulnerabilities, blocked scanner results, suspected misuse, account termination, or domain-owner opt-out.

2. Eligibility

You must be at least 18 years old and capable of forming a legally binding contract to use unpwned. By using the service you represent that all information you provide is accurate and that you have the authority to scan any domain you submit, either as its owner or with explicit written permission from the domain owner.

3. Authorized Scanning & User Indemnification

Every domain scan you initiate on unpwned constitutes a legally binding declaration that you are either (a) the registered owner of that domain, or (b) in possession of explicit written authorization from the domain owner to conduct security testing on their behalf. This declaration is made under penalty of applicable law.

Checkbox consent is legally binding. Before each scan, including account-based scans and no-account public scans, you are required to check or otherwise submit a consent confirmation stating that you own or are authorized to scan the submitted domain. This confirmation constitutes a legally binding representation and is treated as an electronic signature under applicable electronic signature laws and regulations.

Recurring monitoring authorization. When you enable scheduled monitoring for a domain, your monitoring authorization applies to each recurring scan created under that monitoring configuration until you disable or delete the monitor. unpwned records the monitoring authorization timestamp, source, and hashed request metadata, and associates recurring monitoring scans with that authorization record.

3a. Consent & Audit Logging

To establish and preserve a verifiable legal record of each authorization, unpwned automatically records the following data at the moment the consent checkbox is submitted for every scan:

  • A precise UTC timestamp of the consent event.
  • Your unique account identifier (user ID), if authenticated at the time of the scan.
  • For no-account public scans, an internal public-check source marker instead of an authenticated user ID.
  • A one-way cryptographic hash of your IP address, sufficient to identify the originating network without storing raw personal data beyond what is necessary.
  • A one-way cryptographic hash of your browser user-agent string.
  • The domain name submitted for scanning.
  • The specific plan tier, scan quota, source, or scan path used, where applicable.

This consent log is stored securely and separately from general application data. By using the service, you expressly consent to this logging. You further acknowledge that this audit record may be produced as evidence in civil or criminal legal proceedings, regulatory investigations, or law-enforcement inquiries concerning unauthorized scanning activity. unpwned will maintain these records for a minimum of five (5) years from the date of the scan, or such longer period as may be required by applicable law.

3b. Advanced Assessment Written Authorization

Advanced Security Assessments involve extended scanning techniques that go beyond standard domain scans (see Section 4a). Due to the depth and scope of these assessments, a separate digital consent form is required in addition to the standard scan authorization described above.

The Advanced Assessment consent process requires the requester to: (i) enter their full legal name; and (ii) check a dedicated acknowledgment checkbox confirming they own or are explicitly authorized to conduct extended security testing on the target domain.

The consent form is delivered via a unique, single-use link sent to the requester's verified email address. Each link is valid for one authorization only and cannot be reused.

Completion of the digital consent form constitutes legally binding written authorization under the Israeli Electronic Signature Law 5761-2001, the EU eIDAS Regulation (Regulation (EU) No 910/2014), and the U.S. Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. ch. 96).

unpwned retains all Advanced Assessment authorization records for a minimum of five (5) years from the date of the assessment. These records, including the full legal name provided, timestamp, IP hash, target domain, and acknowledgment status, may be produced as evidence in civil or criminal legal proceedings, regulatory investigations, or law-enforcement inquiries.

Unauthorized scanning: consequences. If unpwned determines, in its sole discretion, that you have scanned a domain you do not own and for which you do not hold valid written authorization, your account will be immediately and permanently terminated without notice and without refund of any prepaid subscription fees. In addition, unpwned reserves the right to refer the matter, including the full consent audit log, to the relevant law-enforcement authorities and to the domain owner, and will cooperate fully with any resulting criminal or civil investigation.

Scanning a domain without ownership or written authorization may constitute a criminal offense under the Israeli Computers Law, 5755-1995 (Hok HaMahshevim), the U.S. Computer Fraud and Abuse Act (CFAA), applicable federal and state computer fraud statutes (including but not limited to California Penal Code Section 502, New York Penal Law Article 156), the UK Computer Misuse Act, and other applicable computer crime legislation. You acknowledge that you are solely responsible for ensuring your use of unpwned complies with all applicable laws before initiating any scan.

You agree to fully indemnify, defend, and hold harmless unpwned and its operators, directors, employees, and agents from and against any and all claims, damages, fines, penalties, legal fees, and liabilities of any kind arising out of or relating to: (i) your unauthorized scanning of any domain or system; (ii) your breach of any representation made in this section; (iii) any third-party claim that your use of the service violated their rights or applicable law; (iv) any unauthorized testing or activity conducted using the platform, including any claim by a third party alleging unauthorized access to or damage to their systems or data; or (v) any consequences arising from security alerts, log entries, or automated responses triggered on the target system as a result of a scan you initiated.

unpwned reserves the right to disclose your account information, scan history, consent audit logs, and any relevant data to law enforcement or affected third parties upon receipt of a valid legal request, and will cooperate fully with any investigation arising from unauthorized use of the platform.

4. Nature of Active Scanning

You acknowledge and consent to the following activities being performed against any domain you submit for scanning:

  • Active HTTP and HTTPS requests to known sensitive paths, including but not limited to /.env, /.git/HEAD, /wp-config.php, and over 30 additional paths.
  • TCP port scanning to identify open or exposed ports on the target infrastructure.
  • Unauthenticated requests to common API routes, including AI and LLM endpoints (e.g. /api/users, /api/admin, /api/chat, /api/ai) to test for improperly secured endpoints.
  • GraphQL introspection queries to probe for exposed schemas at common paths (e.g. /graphql, /api/graphql).
  • DNS record enumeration, including TXT, MX, SPF, DKIM, and DMARC lookups, as well as subdomain discovery via A/AAAA record resolution on common subdomain name patterns (e.g. api, admin, staging, dev) to map the attack surface of verified domains.
  • JavaScript bundle analysis to scan for exposed API keys, secrets, and source map files.
  • SSL/TLS handshake probing to assess certificate and cipher configuration.
  • Firebase configuration analysis, including exposed API keys and unauthenticated Firestore collection access.
  • Rate limiting verification via rapid sequential requests to test for unprotected endpoints.
  • Cloud storage bucket enumeration to test for publicly accessible S3-compatible storage.
  • HTTP method testing (HEAD, OPTIONS, PUT, DELETE, PATCH) against discovered endpoints to identify misconfigured access controls. These requests carry no request body and do not modify server-side data.
  • CORS policy testing by issuing requests with varying Origin headers to detect overly permissive cross-origin resource sharing configurations.
  • Cloaking detection by issuing requests with different User-Agent strings (including search engine crawler identifiers such as Googlebot) to compare the content served to regular visitors versus search engine crawlers, in order to detect SEO spam injection, content cloaking, or indicators of site compromise. This includes fetching and analyzing sitemap.xml for suspicious sub-sitemap counts.
  • Known vulnerability (CVE) matching against detected technologies and their versions using data from the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST). CVE data is synced periodically and matched locally; no scan data is sent to the NVD. This product uses the NVD API but is not endorsed or certified by the NVD.

All requests originate from unpwned's infrastructure and are identified by the User-Agent string UNPWNED-Scanner/1.0. These requests will appear in the target server's access logs and may trigger security alerts, WAF rules, honeypot systems, intrusion detection systems, or automated blocking mechanisms on the target domain. Scans may also cause a temporary increase in log volume and a minor increase in network bandwidth usage on the target system. By submitting a domain for scanning, you explicitly consent to all of the above activities being performed on that domain and accept full responsibility for any consequences on the target system, including but not limited to automated security responses.

Proof of authorization. unpwned reserves the right to request, at any time, proof of authorization from the user who initiated a scan. If satisfactory proof is not provided within a reasonable timeframe, unpwned may suspend or permanently terminate the user's account and disclose relevant scan records to the affected domain owner or law enforcement.

For full details on our scanning methodology, User-Agent identification, and opt-out procedures for domain owners, see our Scanning Policy.

Subdomain scope. When you authorize a scan on a domain, that authorization extends to the domain and all its subdomains (e.g. api.example.com, staging.example.com). Subdomain enumeration, DNS resolution, and active security testing may be performed on any discovered subdomain of the authorized domain. Where a subdomain resolves to third-party infrastructure (such as a CDN, cloud hosting provider, or external SaaS platform), scanning is limited to non-intrusive techniques that do not exceed what a standard web browser request would perform. unpwned does not intentionally target or stress-test third-party shared infrastructure, and any scanning of subdomains hosted on third-party services is conducted solely to assess the security posture of your own configuration on those services.

Third-party infrastructure disclaimer. Your authorization to scan a domain does not extend to third-party infrastructure providers (such as AWS, Cloudflare, Google Cloud, or shared hosting platforms). UNPWNED limits subdomain scanning on third-party infrastructure to passive, non-intrusive techniques that do not interact with the underlying shared infrastructure.

All scans are non-destructive. Standard scans are passive in nature. Deep scans on verified domains may include active testing techniques as described above, but never write, modify, or delete data on your systems. unpwned does not exploit any vulnerabilities it discovers; findings are reported to you for remediation only.

Cached scan results. To reduce load on target infrastructure and to provide faster public lookup responses, scan results for publicly accessible domains may be cached and reused across users for up to 24 hours. Cached results made available to a different user contain only the public severity summary and finding category titles. Detailed remediation guidance, business impact analysis, technical detail, plain-English explanations, and external references are never shared between users. Pro subscribers and verified domain owners always receive fresh, dedicated scans on demand and are never served cached results from another user.

4b. Cloudflare Integration, DNS Management on Your Behalf

UNPWNED offers an optional Cloudflare integration that allows you to provide a limited Cloudflare DNS API token for a specific zone. By connecting this token, you explicitly authorize UNPWNED to perform the following actions on your behalf:

  • List DNS zones available to the token you provided.
  • Create, read, and delete TXT DNS records for the purpose of domain ownership verification.
  • Create or update TXT DNS records for SPF and DMARC email security configurations when you explicitly request an auto-fix through the UNPWNED interface.
  • Read existing DNS records to determine current SPF and DMARC configuration before making changes.

Token security. Your Cloudflare API token is encrypted at rest using AES-256-GCM with a 256-bit key before being stored in our database. The token is decrypted only in server-side memory at the moment of use and is never transmitted to the client browser, logged, or exposed in any error reports. The encryption key is stored as a server-side environment variable and is not accessible through the application code.

Scope limitation. UNPWNED only requests and uses Cloudflare API tokens with DNS editing permissions. We do not access, modify, or interact with any other Cloudflare services including but not limited to: firewall rules, WAF settings, SSL certificates, Workers, caching configuration, analytics, or billing information.

Your responsibility. You are responsible for creating an appropriately scoped API token in your Cloudflare dashboard. We recommend using the “Edit zone DNS” template and limiting the token to specific zones where possible. You may revoke your Cloudflare API token at any time through the Cloudflare dashboard or by disconnecting the integration in UNPWNED Settings. Revoking the token immediately terminates UNPWNED’s ability to manage DNS records on your behalf.

DNS modification disclaimer. While UNPWNED applies safe default values for DNS records (such as SPF with ~all and DMARC with p=none), you acknowledge that DNS changes can affect email delivery and domain behavior. UNPWNED is not liable for any service disruption, email delivery failures, or unintended consequences resulting from DNS modifications you requested through the auto-fix feature. All DNS modifications are logged in an audit trail accessible to you.

Verification record cleanup. TXT records created for domain verification purposes are automatically deleted after successful verification. If automatic deletion fails, the record will remain in your DNS zone and can be safely removed manually. The record value follows the format unpwned-verify-{token} and is clearly marked with a comment identifying it as an UNPWNED verification record.

4a. Advanced Security Assessment - Extended Scanning Scope

In addition to the standard scanning activities described above, Advanced Security Assessments may perform the following extended testing against domains for which separate written authorization has been obtained (see Section 3b):

  • CVE vulnerability scanning using over 9,000 vulnerability detection templates covering known Common Vulnerabilities and Exposures across web applications, network services, and infrastructure components.
  • Full TCP port scanning across all 65,535 ports with service version detection and banner grabbing to identify exposed or misconfigured network services.
  • Directory and file discovery using curated wordlists to enumerate hidden paths, backup files, configuration files, and other resources not linked from the public-facing application.
  • Web server misconfiguration analysis, including server information disclosure, default credential detection, insecure HTTP method support, and missing security hardening measures.
  • SQL injection testing using automated injection payloads against discovered form inputs and API endpoints to detect improper input sanitization. These tests use read-only detection techniques and do not modify, extract, or corrupt database contents.
  • Authentication and session security testing, including password policy verification, account lockout behavior analysis, session token entropy assessment, and JWT (JSON Web Token) structure and algorithm validation.
  • Authorization boundary testing (IDOR), including attempts to access resources belonging to other accounts by manipulating identifiers in API requests, to verify that access controls are properly enforced.
  • Business logic testing, including race condition detection via concurrent requests, privilege escalation attempts by modifying role or permission parameters, paywall and feature-gate bypass testing, and billing flow integrity checks.
  • API parameter tampering and fuzzing to test input validation, error handling, and information disclosure through unexpected or malformed request parameters.

These extended scanning techniques are only performed when a valid digital consent form has been completed as described in Section 3b. They are never performed as part of standard or deep scans. All extended scanning activities remain non-destructive and read-only in nature. Some tests may generate temporary test data (such as failed login attempts or test account registrations) on the target system as a necessary side effect of security verification; however, no existing data is modified, deleted, or exfiltrated.

5. Acceptable Use Policy

You agree not to use unpwned to:

  • Scan domains, IPs, or infrastructure you do not own or lack explicit permission to test.
  • Conduct or facilitate any form of attack, intrusion, or unauthorized access against any system.
  • Reverse-engineer, scrape, or otherwise extract data from the platform beyond normal use.
  • Resell, sublicense, or redistribute scan results or reports without prior written consent.
  • Violate any applicable law or regulation, including computer fraud and abuse statutes.
  • Upload or transmit malware, malicious code, or any content that could harm the platform or its users.
  • Circumvent rate limits, quotas, or subscription restrictions through automated means.
  • Use the public lookup feature to conduct competitive intelligence gathering at scale, automated bulk queries, or any form of systematic data extraction.

We reserve the right to suspend or permanently terminate accounts found in violation of this policy without notice and without refund.

Automated access and scraping. You may not use any automated tool, script, bot, crawler, or scraper to access, extract, or collect data from the unpwned platform, including but not limited to scan results, security scores, report content, API responses, or public lookup data, except through officially provided APIs and within their documented rate limits. Unauthorized automated access constitutes a violation of these Terms and may result in immediate IP blocking, account termination, and legal action under applicable computer fraud statutes.

6. Subscription Plans & Billing

unpwned offers the following subscription plans (all prices in USD):

  • Free: $0/month, 2 scans per month, score, grade, full list of finding titles, and severity breakdown. Includes one (1) lifetime deep scan on a verified domain; additional deep scans require a Pro plan. Does not include finding details, business impact explanations, technical remediation steps, AI fix prompts, PDF export, monitoring, GitHub integration, scan history, or security badge.
  • Pro 7: $9/month (or $84/year, equivalent to $7/month), 7 scans per month, unlimited deep scans on verified domains, 1 monitored domain with weekly or monthly monitoring frequency.
  • Pro 20: $19/month (or $180/year, equivalent to $15/month), 20 scans per month, unlimited deep scans on verified domains, up to 5 monitored domains with every-3-days, weekly, or monthly monitoring frequency.
  • Pro 100: $49/month (or $468/year, equivalent to $39/month), 100 scans per month, unlimited deep scans on verified domains, up to 15 monitored domains with daily, every-3-days, weekly, or monthly monitoring frequency.

Monthly plans are billed in advance on the same date each month and renew automatically unless cancelled before the renewal date. Annual plans are billed as a single upfront payment covering 12 months and renew annually unless cancelled before the renewal date. Scan quotas reset at the start of each billing cycle.

All payments are processed by Freemius, which acts as merchant of record for paid UNPWNED subscriptions. By subscribing to a paid plan you agree to Freemius's applicable checkout, payment, tax, subscription, and refund terms in addition to these Terms. unpwned does not store your payment credentials.

We reserve the right to change pricing with 30 days’ advance notice delivered by email or in-app notification. Continued use of a paid plan after a price change takes effect constitutes acceptance of the new pricing.

Free plan changes. The Free plan is provided without consideration. UNPWNED reserves the right to modify, limit, suspend, or discontinue the Free plan at any time and for any reason, including changes to monthly scan quotas and feature availability, without advance notice. These changes do not apply to active paid Pro plans, which remain subject to the 30-day advance notice described above.

6a. Refund and Cancellation Policy

You may cancel your subscription at any time from the account billing dashboard. Cancellation takes effect at the end of the current paid period; you will retain full access to your plan features until that date.

30-day refund guarantee. If you are not satisfied with your purchase for any reason, you may request a full refund within 30 days of the original purchase date, no questions asked. This applies to both monthly and annual plans.

Refunds are processed by Freemius, our payment provider and merchant of record. To request a refund, email [email protected] with your account email and order details. We aim to process all refund requests within 3 business days.

Chargebacks, payment disputes, suspected fraud, or abusive refund activity may result in account suspension, loss of access to paid features, or termination where permitted by law. Statutory cancellation and refund rights that cannot be waived are preserved.

Promotional trial periods. Certain promotional codes grant a free trial period before the first billing cycle begins. No charge is applied during the trial. If you cancel before the trial period expires, you will not be billed. If you do not cancel before the trial ends, your selected plan will activate and the first payment will be processed automatically. The 30-day refund guarantee applies from the date the first paid charge is made.

Israeli consumer rights. For users in Israel: Your statutory cancellation rights under the Consumer Protection Law, 5741-1981 (Hok Haganat HaTzarchan) and the Transaction Cancellation regulations for distance transactions (14-day cooling-off period) are preserved and cannot be waived by these Terms. The 30-day money-back guarantee provided herein exceeds the statutory minimum.

7. Free Plan Limitations

The Free plan is provided as-is for evaluation purposes and is subject to daily and monthly scan quotas as described on the pricing page. We may modify or discontinue the Free plan at any time without liability.

7a. AI-Generated Fix Suggestions

Vulnerability reports produced by unpwned include AI-generated fix suggestions (“Suggestions”). These Suggestions are generated automatically by machine-learning models and are provided for informational purposes only. They do not constitute professional security advice, penetration-testing findings, legal security certification, or any form of guarantee regarding the security posture of your systems.

Professional review required before production use. You must not implement any AI-generated Suggestion directly into a production environment without first having it reviewed and validated by a qualified, independent cybersecurity professional. unpwned Suggestions are a starting point for remediation, not a finished remediation plan. Complexity, system-specific configuration, and interdependencies between software components mean that implementing a Suggestion without expert review may introduce new vulnerabilities, cause system instability, or fail to fully remediate the identified issue.

No liability for AI-suggestion implementation. To the maximum extent permitted by applicable law, unpwned expressly disclaims all liability for any damages, losses, security breaches, data loss, system outages, regulatory penalties, or other harm arising directly or indirectly from your implementation of AI-generated Suggestions, whether or not such Suggestions were reviewed by a security professional. This exclusion applies regardless of the legal theory asserted (contract, tort, negligence, strict liability, or otherwise) and even if unpwned was advised of the possibility of such damages.

Third-party AI providers. To generate fix Suggestions, unpwned transmits a subset of your scan results, including vulnerability identifiers, affected paths, and relevant technical context, to third-party AI model providers. No personal data identifying you as an individual is included in these transmissions beyond what is technically necessary. Your scan data processed by third-party AI providers is subject to those providers' own terms of service, privacy policies, and data-handling practices. By using the Suggestions feature, you acknowledge and accept this third-party processing. We encourage you to review the terms of any AI provider whose services form part of your security workflow.

7b. User-Initiated Remediation & “Fix It” Prompts

unpwned provides a “Copy Prompt” feature that generates pre-formatted instructions (“Fix It Prompts”) designed to be pasted into external AI-assisted coding tools, language-model interfaces, or any other software environment. These prompts are derived from vulnerability scan results and are intended solely as a convenience starting point for remediation.

Sole user responsibility. Any modification, configuration change, code edit, deployment action, or system alteration that you perform, whether by executing a Fix It Prompt in an external tool, manually implementing an AI-generated suggestion, or taking any other remediation action informed by unpwned reports, is undertaken entirely at your own risk and sole responsibility. unpwned does not control, review, validate, or endorse the output produced by any external tool to which you supply a Fix It Prompt.

Assumption of risk. You expressly acknowledge and accept that implementing code changes, server configurations, DNS modifications, or any other technical alterations based on unpwned prompts or reports may result in, without limitation, application downtime, data loss, introduction of new security vulnerabilities, service degradation, regulatory non-compliance, or other adverse effects on your systems, products, or business operations. You assume full and exclusive responsibility for all consequences arising from such actions.

Complete disclaimer. To the maximum extent permitted by applicable law, unpwned, its operators, affiliates, directors, employees, and agents are not liable for any direct, indirect, incidental, special, consequential, or punitive damages, including but not limited to lost revenue, lost data, business interruption, reputational harm, or third-party claims, arising from or related to any action you take based on Fix It Prompts, AI-generated suggestions, scan reports, or any other information provided through the platform, regardless of the legal theory asserted and regardless of whether unpwned was advised of the possibility of such damages.

Mandatory professional review. Before implementing any change to a production system based on unpwned output, you must have the proposed change reviewed by a qualified professional with appropriate expertise in the relevant technical domain. Failure to obtain such review does not limit your responsibility under these Terms but may increase your exposure to adverse outcomes.

7c. No Insurance, Legal Advice, or Incident Response

UNPWNED does not provide cyber insurance, legal advice, regulatory advice, compliance certification, breach counsel, incident response services, managed detection and response, or any financial guarantee against security incidents. You remain solely responsible for deciding whether to obtain legal counsel, insurance, professional security services, backups, monitoring, incident response coverage, and other risk-management measures.

Any business, legal, compliance, or operational impact language shown in reports is general educational information only. It must not be treated as legal advice, insurance advice, audit evidence, or a substitute for advice from qualified professionals familiar with your specific systems and jurisdiction.

8. Intellectual Property

All platform software, design, trademarks, and AI-generated report templates are the exclusive property of unpwned. You are granted a limited, non-exclusive, non-transferable license to use the platform solely for your own security monitoring purposes during an active subscription.

You retain ownership of your domain names and the raw scan data associated with your account. You grant unpwned a limited license to process and analyze that data solely to provide the service.

Feedback and suggestions. Any feedback, ideas, suggestions, feature requests, or other communications you voluntarily submit to unpwned regarding the platform or its services become the exclusive property of unpwned. You hereby irrevocably assign to unpwned all right, title, and interest in such feedback, including all intellectual property rights, without any obligation of compensation, attribution, or confidentiality. unpwned may use, reproduce, modify, distribute, and commercialize such feedback for any purpose without restriction.

8a. Security Telemetry and Aggregated Intelligence

By using the unpwned platform, including initiating any scan, you agree that unpwned may collect, store, and analyze technical security telemetry derived from scan activity for the purpose of building aggregated security intelligence, improving scanner accuracy, measuring scanner reliability, preventing abuse, and publishing market-level security trends.

What we collect. Telemetry is strictly limited to statistical and technical patterns derived from scan results. This includes, but is not limited to: security posture metrics and scores, vulnerability categories and severity levels, technology and infrastructure characteristics, protocol and configuration attributes, and industry-level classifications. All telemetry is collected at the pattern level only and may be expanded over time as the platform evolves.

Internal linkage. Internal telemetry records may be linked to the underlying scan ID so we can de-duplicate records, debug scanner behavior, suppress test scans, investigate abuse, and honor opt-out or deletion requests where applicable. This internal linkage is not included in public statistics, public research, or external datasets.

What we do not publish. Public telemetry, research, benchmarks, and threat statistics do not include your account identifier, billing data, email address, raw scan output, source-code file contents, API keys, secrets, credentials, or information that is intended to identify the original scanning user. Domain-level scores may still be shown through the public lookup feature as described in Section 1a.

Purpose and use. Aggregated telemetry may be used to publish anonymized industry research, security trend reports, and benchmark indices (such as framework security risk analyses). We design published telemetry so that no individual account or scan requester is identified.

You may opt out of telemetry collection at any time by emailing [email protected]. Opting out does not affect your access to any platform features.

Aggregated security scores and finding category titles may also be displayed through unpwned's public domain lookup feature, which shows limited results without identifying the original scanning user or account.

9. Limitation of Liability

unpwned is a security monitoring and advisory tool. It does not guarantee the detection of all vulnerabilities, nor does it provide penetration testing or legal security certification. Scan results are informational only.

To the maximum extent permitted by applicable law, unpwned, Raz Azulay as sole proprietor, and any operators, contractors, service providers, affiliates, or agents shall not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages arising from your use of or inability to use the service, including but not limited to loss of data, security breaches, lost profits, business interruption, reputational harm, loss of goodwill, third-party claims, regulatory investigations, or remediation costs, even if advised of the possibility of such damages.

Our total aggregate liability for any claim arising out of these Terms shall not exceed the amount you paid us in the 12 months preceding the claim, or $100, whichever is greater.

No remediation obligation. unpwned is not obligated to monitor, follow up on, or verify whether vulnerabilities identified in scan reports have been remediated by the domain owner. The responsibility for evaluating, prioritizing, and remediating any identified security issues lies solely with you. unpwned shall not be held liable for any damages, breaches, or losses resulting from your decision not to remediate, or your delay in remediating, any vulnerability reported by the platform. Delivery of a scan report does not create a duty of care, an ongoing advisory relationship, or any obligation on the part of unpwned to ensure that reported vulnerabilities are addressed.

Nothing in these Terms excludes or limits our liability for: (a) death or personal injury caused by our negligence; (b) fraud or fraudulent misrepresentation; (c) any liability that cannot be excluded or limited by applicable law, including under Israeli, EU, or US consumer protection laws.

10. Disclaimer of Warranties

The service is provided “as is” and “as available” without warranties of any kind, express or implied, including warranties of merchantability, fitness for a particular purpose, or non-infringement. We do not warrant that the service will be uninterrupted, error-free, or completely secure.

No warranty of complete vulnerability coverage. We expressly do not warrant that any scan will detect all vulnerabilities present in a target domain, system, or associated infrastructure. unpwned's scan checks cover a defined set of security categories and are not a complete or exhaustive source of all known, unknown, or emerging vulnerabilities. Vulnerabilities may exist in your systems that fall outside the scope of unpwned's checks, that require authenticated access to detect, or that are not yet publicly disclosed at the time of scanning. The absence of findings, a clean scan result, or a high security score does not mean your systems are free of vulnerabilities.

Scan results are point-in-time only. New vulnerabilities are discovered and publicly disclosed on a daily basis. A scan result reflects the security posture of the target domain only at the specific date and time the scan was performed and may become outdated immediately thereafter. unpwned makes no warranty that a previously clean result remains accurate after the time of scanning. Furthermore, a passing scan or high security score does not constitute a security certification, compliance attestation, or guarantee of any kind with respect to any regulatory framework, industry standard, or contractual security obligation. You remain solely responsible for maintaining an ongoing security program and for engaging qualified professionals to assess your security posture.

11. DMCA & Copyright

If you believe any content on unpwned infringes your copyright, please send a notice to [email protected] with:

  • Identification of the copyrighted work claimed to be infringed.
  • Identification of the infringing material and its location on the platform.
  • Your contact information.
  • A statement of good faith belief that the use is not authorized.
  • A statement, under penalty of perjury, that the information in your notice is accurate.

We will investigate and respond to valid DMCA notices in accordance with applicable law.

Counter-notification. If you believe material was removed in error, you may submit a counter-notification to [email protected] containing: (1) identification of the material removed; (2) a statement under penalty of perjury that removal was a mistake; (3) your name, address, and consent to Tel Aviv court jurisdiction; (4) your signature.

Repeat infringer policy. UNPWNED maintains a policy to terminate accounts of users who are repeat copyright infringers.

UNPWNED's scanning activities are limited to publicly accessible content and do not circumvent any technological protection measures within the meaning of DMCA Section 1201.

11b. Prohibited Platform Exploitation

You agree not to probe, test, or exploit the security of the unpwned platform itself, including but not limited to: attempting to escalate account privileges, accessing data belonging to other users, manipulating subscription or billing records, bypassing authentication or authorization controls, or interfering with platform infrastructure.

Any attempt to exploit a vulnerability in the unpwned platform (as opposed to a domain you are authorized to scan) constitutes a material breach of these Terms and will result in immediate account termination without notice or refund. unpwned reserves the right to pursue all available legal remedies, including but not limited to civil damages and referral to law enforcement under applicable computer fraud and abuse statutes.

If you discover a security vulnerability in the unpwned platform, you must report it responsibly to [email protected]. Do not access, modify, or exfiltrate any data beyond the minimum necessary to demonstrate the issue. Responsible disclosure in good faith will not result in legal action.

11c. Security Incident Notification

In the event of a confirmed security incident that results in unauthorized access to user personal data or account credentials, unpwned will notify affected users and/or regulators where required by applicable data protection law, including the EU General Data Protection Regulation (GDPR) where applicable.

Notification will include: a description of the nature of the incident, the categories of data affected, the measures taken to address the breach, and recommended steps users should take to protect themselves. unpwned will also notify the relevant supervisory authority where required by law.

Password security. User passwords are stored exclusively as one-way cryptographic hashes (bcrypt) and cannot be recovered or read in plaintext, even in the event of unauthorized database access. unpwned never stores, logs, or transmits passwords in cleartext.

12. Termination

You may cancel your account at any time from the account settings page. We reserve the right to suspend or terminate your account immediately for violations of these Terms, non-payment, or any activity we determine to be harmful to the platform or other users.

Upon termination, your right to access the service ceases immediately. We may delete your data in accordance with our Privacy Policy.

13. Governing Law

These Terms are governed by and construed in accordance with the laws of the State of Israel, without regard to conflict of law principles. Any dispute arising from or relating to these Terms or your use of the Service shall be subject to the exclusive jurisdiction of the competent courts in Tel Aviv-Jaffa, Israel. Notwithstanding the foregoing, we reserve the right to seek injunctive relief in any court of competent jurisdiction to protect our intellectual property rights.

Notwithstanding the foregoing, nothing in these Terms prevents either party from seeking injunctive or other equitable relief in any court of competent jurisdiction. Users in the United States may bring individual claims in their local small claims court, provided the claim falls within the court's jurisdictional limits.

Class action waiver. To the maximum extent permitted by applicable law, you agree that any dispute arising out of or relating to these Terms or your use of the service shall be resolved on an individual basis only. You waive any right to participate in any class action, class arbitration, consolidated action, or representative proceeding against unpwned. If this waiver is found to be unenforceable in your jurisdiction, the remainder of this dispute resolution section shall continue to apply in full.

13a. California Privacy Rights (CCPA/CPRA)

For users in California: Additional privacy rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are described in our Privacy Policy. You may exercise your right to opt out of the sale or sharing of personal information via the “Do Not Sell or Share” link in our website footer.

14. Changes to These Terms

We may update these Terms from time to time. We will notify you of material changes by email or via an in-app banner at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance.

15. Email Communications

Transactional emails. Emails related to scan results, security alerts, account notifications, billing confirmations, and service operation are sent as necessary for the provision of the service and do not require separate opt-in consent.

Marketing emails. Promotional and marketing emails, including product announcements, feature updates, and special offers, require your opt-in consent before being sent. You may unsubscribe from marketing emails at any time via the unsubscribe link included in each email.

Unsubscribe requests are honored within 10 business days. In accordance with the CAN-SPAM Act (15 U.S.C. 7701 et seq.), all commercial emails include our physical business address and a clear unsubscribe mechanism.

16. Force Majeure

Neither party shall be liable for any failure or delay in performing its obligations under these Terms to the extent that such failure or delay results from circumstances beyond the party's reasonable control, including but not limited to: acts of God, natural disasters, epidemics or pandemics, war, terrorism, riots, civil unrest, government actions or sanctions, embargoes, fire, flood, earthquake, power outages, internet or telecommunications failures, cyberattacks on third-party infrastructure (including hosting providers such as Vercel, Supabase, or Cloudflare), strikes or labor disputes, or any other event that could not have been reasonably foreseen or prevented.

The affected party shall promptly notify the other party of the force majeure event and use commercially reasonable efforts to mitigate its effects. If a force majeure event continues for more than 30 consecutive days, either party may terminate the affected services without liability, and unpwned shall issue a pro rata refund for any prepaid fees covering the period of unavailability.

17. Assignment

You may not assign, transfer, delegate, or sublicense any of your rights or obligations under these Terms without the prior written consent of unpwned. Any attempted assignment without consent shall be void and of no effect.

unpwned may assign these Terms, in whole or in part, to any affiliate or successor entity in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets, provided that the assignee agrees to be bound by these Terms.

18. Export Control and Sanctions Compliance

You represent and warrant that you are not located in, under the control of, or a national or resident of any country subject to comprehensive trade sanctions, including but not limited to those imposed by the United States (OFAC), the European Union, the United Nations, or the State of Israel.

You may not use unpwned if you are listed on any sanctions or restricted party list, including the U.S. Specially Designated Nationals (SDN) list, the EU Consolidated Sanctions list, or any equivalent list maintained by applicable governmental authorities. You agree not to use the service for any purpose prohibited by applicable export control laws.

unpwned reserves the right to suspend or terminate accounts and block access from jurisdictions subject to sanctions at any time without notice.

19. Publicity

By subscribing to a paid plan, you grant unpwned the right to identify you as a customer and to use your company name, trademark, and logo in marketing materials, customer lists, case studies, and on the unpwned website, unless you notify us in writing at [email protected] that you wish to opt out. We will remove your information within 10 business days of receiving such request.

20. Severability

If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, shall be severed from these Terms. The invalidity or unenforceability of any provision shall not affect the validity or enforceability of the remaining provisions, which shall continue in full force and effect.

21. Entire Agreement

These Terms, together with the Privacy Policy, Scanning Policy, and any applicable Data Processing Agreements, constitute the entire agreement between you and unpwned with respect to the use of the service. These Terms supersede all prior or contemporaneous communications, proposals, and agreements, whether oral or written, between you and unpwned regarding the subject matter hereof.

No waiver of any provision of these Terms shall be deemed a further or continuing waiver of such provision or any other provision. unpwned's failure to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.

22. Contact

Questions about these Terms? Email us at [email protected].